When it comes to IT risk and cybersecurity in European banks, the supervisor's reports have a familiar ring. The latest synthesis from the European Central Bank reveals persistent and worrying gaps, especially given what I see as the continual postponement of essential transformations.
Drawing on both the self-assessments of financial institutions and 22 on-site inspection missions conducted by the ECB in 11 countries since 2020, the report first notes a significant increase in the severity and extent of the weaknesses identified. A second key finding is the growing concern over the outsourcing of services, a sensitive point in past analyses that now moves to the forefront in several respects.
On the one hand, actual losses are rising, usually because the outsourced capabilities were unavailable or of poor quality. Although this rests on a small number of high-impact incidents, it underlines how critical the components entrusted to third parties have become and the need for tighter control over that reliance, even though outsourcing's share of total IT spending remains stable (cloud computing is growing, but is still marginal).
On the other hand, this trend raises a specific worry: banks consider only a handful of cloud providers credible and robust, so the ECB fears a concentration risk. That is all the more problematic because exit strategies and contingency plans are often neglected, poorly prepared or, at best, under-tested (who has actually rehearsed the platform switch planned for the event of a failure?).
Long concerned by the many obsolete IT components that still perform core functions in most institutions, the regulator takes some comfort from the decrease in production incidents caused by strategic projects, even though the number of such projects keeps growing. Yet change remains the primary cause of recorded service interruptions, so greater attention to processes and change governance is deemed essential. The most sensitive projects (core banking system renovations, for instance) are, in my view, still to come, which makes this recommendation all the more crucial.
Finally, the most delicate (and recurrent) issue discussed in the report cuts across all these aspects (and others not mentioned here): skills. Taking a measured view, the ECB attributes the deficiencies it exposes to a lack of IT understanding at the highest decision-making levels of banks. I would add the erosion of in-house technical expertise, particularly in development teams that are often staffed entirely by external personnel who do not grasp the sector's requirements and are left without dedicated oversight on risk and cybersecurity.